From 4c48bae74f6fa0a3c00157d4f6908a89df13ec15 Mon Sep 17 00:00:00 2001 From: CaptainB Date: Tue, 4 Jun 2024 17:05:36 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Djenkins=E6=89=A7?= =?UTF-8?q?=E8=A1=8C=E6=8E=A5=E5=8F=A3=E5=9C=BA=E6=99=AF=E4=B8=8D=E8=83=BD?= =?UTF-8?q?=E6=AD=A3=E5=B8=B8=E6=9F=A5=E7=9C=8B=E7=BB=93=E6=9E=9C=E7=9A=84?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- framework/sdk-parent/sdk/pom.xml | 37 +++++++++++++++++++ .../autoconfigure/ShiroConfig.java | 8 ---- .../base/mapper/ext/ExtCheckOwnerMapper.java | 2 +- .../base/mapper/ext/ExtCheckOwnerMapper.xml | 15 +++++--- .../RestControllerExceptionHandler.java | 2 +- .../security/CheckOwnerAspect.java | 36 ++++++++++++++++-- pom.xml | 4 +- 7 files changed, 83 insertions(+), 21 deletions(-) diff --git a/framework/sdk-parent/sdk/pom.xml b/framework/sdk-parent/sdk/pom.xml index 3d0401513f..80d23a0a20 100644 --- a/framework/sdk-parent/sdk/pom.xml +++ b/framework/sdk-parent/sdk/pom.xml @@ -162,10 +162,31 @@ ${quartz-starter.version} + + org.apache.shiro + shiro-spring-boot-web-starter + ${shiro.version} + jakarta + + + org.apache.shiro + shiro-spring-boot-starter + + + org.apache.shiro + shiro-web + + + org.apache.shiro + shiro-spring + + + org.apache.shiro shiro-spring-boot-starter ${shiro.version} + jakarta org.apache.shiro @@ -182,6 +203,18 @@ shiro-web ${shiro.version} jakarta + + + shiro-core + org.apache.shiro + + + + + org.apache.shiro + shiro-core + ${shiro.version} + jakarta org.apache.shiro @@ -193,6 +226,10 @@ shiro-web org.apache.shiro + + shiro-core + org.apache.shiro + diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java index 8cc67756ed..63b169ac68 100644 --- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java 
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java @@ -51,14 +51,6 @@ public class ShiroConfig { return shiroFilterFactoryBean; } - @Bean(name = "shiroFilter") - public FilterRegistrationBean shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception { - FilterRegistrationBean registration = new FilterRegistrationBean<>(); - registration.setFilter((Filter) Objects.requireNonNull(shiroFilterFactoryBean.getObject())); - registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class)); - return registration; - } - @Bean public MemoryConstrainedCacheManager memoryConstrainedCacheManager() { return new MemoryConstrainedCacheManager(); diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java index 67220da49a..c58d9d2903 100644 --- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java +++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java @@ -5,5 +5,5 @@ import org.apache.ibatis.annotations.Param; import java.util.List; public interface ExtCheckOwnerMapper { - boolean checkoutOwner(@Param("table") String resourceType, @Param("projectId") String projectId, @Param("ids") List ids); + boolean checkoutOwner(@Param("table") String resourceType, @Param("userId") String userId, @Param("ids") List ids); } diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml index e3f65a7ab6..cac10e8745 100644 --- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml +++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml @@ -2,12 +2,15 @@ - \ No newline at end of file + 
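Review bot: `checkoutOwner` in ExtCheckOwnerMapper.java is undocumented, and this hunk changes its second argument from a project id to a user id while keeping the same `String` type, so a caller still passing the old value would compile without complaint. A Javadoc should state the contract, for example `/** Returns true only when every id in ids is a row of table that userId is allowed to access. */`. It should also say that `table` must come from a code-defined constant rather than request data if the XML mapper substitutes it into the SQL text; the mapper query is not readable on this page, so that is an assumption to confirm. Stating what the method returns for an empty `ids` list would help too, since the aspect passes resolved lists straight through.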
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java index ceac0e9794..45d4df0fd5 100644 --- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java +++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java @@ -3,9 +3,9 @@ package io.metersphere.controller.handler; import io.metersphere.commons.exception.MSException; import io.metersphere.commons.utils.LogUtil; -import org.apache.shiro.ShiroException; import org.apache.shiro.authz.UnauthorizedException; +import org.apache.shiro.lang.ShiroException; import org.springframework.http.HttpStatus; import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.RestControllerAdvice; diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java index 6664fe802b..d1a01b83de 100644 --- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java +++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java 
@@ -7,8 +7,13 @@ import io.metersphere.commons.exception.MSException; import io.metersphere.commons.utils.SessionUtils; import io.metersphere.i18n.Translator; import jakarta.annotation.Resource; +import jakarta.servlet.http.HttpServletRequest; import org.apache.commons.lang3.StringUtils; +import org.apache.shiro.SecurityUtils; +import org.apache.shiro.authc.UsernamePasswordToken; +import org.apache.shiro.web.util.WebUtils; import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.After; import org.aspectj.lang.annotation.Aspect; import org.aspectj.lang.annotation.Before; import org.aspectj.lang.annotation.Pointcut; @@ -20,9 +25,10 @@ import org.springframework.expression.ExpressionParser; import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.support.StandardEvaluationContext; import org.springframework.stereotype.Component; +import org.springframework.web.context.request.RequestAttributes; +import org.springframework.web.context.request.RequestContextHolder; import java.lang.reflect.Method; -import java.util.Arrays; import java.util.List; @@ -43,6 +49,16 @@ public class CheckOwnerAspect { @Before("pointcut()") public void before(JoinPoint joinPoint) { + // apikey 过来的请求 + RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); + if (requestAttributes != null) { + HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(RequestAttributes.REFERENCE_REQUEST); + if (ApiKeyHandler.isApiKeyCall(request) && !SecurityUtils.getSubject().isAuthenticated()) { + String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request)); + SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random)); + } + } + //从切面织入点处通过反射机制获取织入点处的方法 MethodSignature signature = (MethodSignature) joinPoint.getSignature(); //获取切入点所在的方法 
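Review bot: In the API-key branch added to `before`, the result of `ApiKeyHandler.getUser(...)` goes straight into `login(new UsernamePasswordToken(userId, SSOSessionHandler.random))` with no check that a user was actually resolved. What `getUser` returns for a missing or invalid key is not visible here, so the advice should fail closed itself, e.g. `if (StringUtils.isBlank(userId)) { MSException.throwException(Translator.get("check_owner_case")); }` before the login call. The request returned by `resolveReference(RequestAttributes.REFERENCE_REQUEST)` is likewise cast and used without a null check. A comment should also record that `SSOSessionHandler.random` is used as a shared internal credential, presumably accepted by a realm for any user id, because this makes an ownership-check aspect responsible for establishing the authenticated subject. The body of `before` continues outside this hunk.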
@@ -59,6 +75,7 @@ public class CheckOwnerAspect { return; } + // 操作内容 //获取方法参数名 String[] params = discoverer.getParameterNames(method); @@ -73,14 +90,27 @@ public class CheckOwnerAspect { Expression titleExp = parser.parseExpression(resourceId); Object v = titleExp.getValue(context, Object.class); if (v instanceof String id) { - if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), List.of(id))) { + if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getUserId(), List.of(id))) { MSException.throwException(Translator.get("check_owner_case")); } } if (v instanceof List ids) { - if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), ids)) { + if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getUserId(), ids)) { MSException.throwException(Translator.get("check_owner_case")); } } } + + @After("pointcut()") + public void after() { + // apikey 过来的请求 + RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes(); + if (requestAttributes != null) { + HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(RequestAttributes.REFERENCE_REQUEST); + // apikey 退出 + if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request)) && SecurityUtils.getSubject().isAuthenticated()) { + SecurityUtils.getSubject().logout(); + } + } + } } diff --git a/pom.xml b/pom.xml index e392ad2d52..f0ee528815 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.springframework.boot spring-boot-starter-parent - 3.2.4 + 3.2.6 @@ -23,7 +23,7 @@ 2023.0.0 2.7.22 1.6.0 - 1.13.0 + 2.0.1 1.5.3 3.1.1 2.1.4
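Review bot: The new `after` advice logs out any authenticated subject on an API-key request, while `before` only logs in when the subject was not already authenticated. A subject authenticated elsewhere is therefore logged out by code that never logged it in, for example an existing session that also carries API-key headers, or an outer guarded call when one guarded bean method invokes another. Recording the login on the request keeps the two symmetric: `request.setAttribute("checkOwner.apiKeyLogin", Boolean.TRUE);` after the `login(...)` call, and `if (Boolean.TRUE.equals(request.getAttribute("checkOwner.apiKeyLogin"))) { SecurityUtils.getSubject().logout(); }` in `after` (the attribute name is a constructed example). Separately, in the same hunk a resolved value `v` that is neither a `String` nor a `List` (including `null`) skips `checkoutOwner` entirely, so the ownership check fails open; a final branch that throws would close that gap.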